We are excited to announce the immediate availability of resource-level permissions for Amazon EC2 and Amazon RDS. You can now construct fine-grained AWS Identity and Access Management (IAM) policies for EC2 and RDS to control which users are authorized to perform what actions on a given set of resources. You can also define permissions for groups of resources based on tags associated with your EC2 and RDS resources or based on other attributes of the resource. Whether you are a fast growing start-up or a large enterprise moving mission-critical workloads to AWS, these new features will give you more granular visibility and control over your development, test, staging and production deployments on EC2 and RDS.

Using these resource-level permissions, you can define different permissions for different applications, environments, cost centers, departments, work groups, or any other organizational schema that you choose. For example, you can define specific user groups such as “Developers” and “Production System Administrators,” and then tag the appropriate EC2 and RDS resources with “Development,” “Test,” and “Production.” By setting up these granular IAM policies, you can dictate that only Developers can modify or delete ”Development” and “Test” resources, and only “Production System Administrators” can modify and delete “Production” resources. If you already use tags for Tag-Based Cost Allocation Reports, you can reuse the same tags for defining resource-level permissions.